Improvements

• Added the ability to assign tags to scans for better organization and filtering (Read more)
• DAST Scan schedules are no longer shown in the DAST scans page. These are shown in the DAST scheduled scans
• Docker image of internal scanning agent now supports ARM64 architecture
• Added support for MSSP licensing business logic
• Updated DAST engine to handle examples for $ref'd schemas in OpenAPI

New features

• Implemented a feature that allows users to override the severity of vulnerabilities detected in DAST scans (Read more on individual vulnerability's and global severity changes)
• Implemented screenshot capture during DAST scans to improve visibility of the scanning process and authentication failures (Read more)
• Compliance classification information is now included in vulnerability details to support regulatory alignment and audit readiness (Read more)

Improvements

• The platform has been upgraded to Node.js 20.x
• AI-powered features are now enabled by default for new accounts. Account owners retain the ability to turn off these features during account creation (Read more)
• Scanning agent IP addresses are now visible, improving transparency
• Sorting by status on the DAST scans page now automatically uses the scan date as a secondary sort to provide more accurate results
• Scheduled scans can now be assigned custom names to improve identification (Read more on scheduled scans and recurring scans)

Resolved issues

• Resolved an issue where rediscovered vulnerabilities weren't included in scan and target reports
• Fixed an issue where the Download Logs option wasn't available for aborted scans
• Resolved an issue that caused unexpected errors related to missing scan creator information
• Corrected an issue where updated threat levels weren't immediately reflected in the UI after severity changes
• Fixed an issue that prevented reports being generated
• Resolved an issue where API specifications and related scans weren't displayed correctly for certain targets
• Fixed an issue where Issue URLs weren't visible within the Vulnerability tab
• Resolved an issue causing scans to fail when LSR restrictions were used together with imported files
• Fixed an OAuth API validation issue
• Resolved a limitation that prevented successful uploads of larger CSV files
• Added clearer messaging about maximum file size limits for API source uploads (Read more)

Improvements

• Added functionality to store a snapshot of target configuration for each scan
• Internal scanning agent now support proxy when connecting back to the platform
• Improved user messaging to clearly indicate when a scan is automatically aborted after being paused for seven days
• Implemented custom URL rewrite rules for DAST scans on larger sites to improve scan efficiency
• Introduced safeguards to automatically pause recurring scans after five consecutive failures

Resolved issues

• Resolved an issue to improve scheduled scan stability
• Corrected an issue with incorrect links in Runtime SCA Findings
• Fixed a problem that prevented the Scan Detail page from loading correctly
• Optimized internal scanner request handling to reduce excessive request volume
• Upgraded the urllib3 library
• Removed TRACK and DEBUG from Restricted HTTP methods in the UI
• Resolved an issue where false positives and ignored vulnerabilities were still appearing in reports

New features

• Added support for automatic user provisioning during IdP-initiated SAML SSO login

Improvements

• Enhanced the scanning engine to support non-standard OAuth authorization flows

Resolved issues

• Resolved an issue in notifications
• Fixed an issue that limited the Exemptions list to display only the first 50 users
• Resolved a problem where long Scan Profile description caused the profile list to fail loading
• Fixed an issue that prevented users from creating scan schedules when an end date was specified
• Resolved an issue related to notifications not displaying correctly during scans with allowed hosts
• Fixed a synchronization issue to ensure updates to target agents are correctly communicated
• Resolved an issue that allowed duplicate file imports

2025

This section summarizes all releases, features, improvements, and fixes for 2025 as they're added.

New features

• Added CircleCI integration (Read more)

Improvements

• In Automations, the "Report generated" event is now an action within the "Scan completed" event (Read more)

Resolved issues

• Fixed an issue where a vulnerability could be sent to multiple issue trackers (Read more here and here)
• Fixed an issue where editing an existing Jira integration caused authentication issues (Read more)
• Fixed an issue where assignee was removed when editing vulnerability details

• Improved API Insights dashboard to respect user access restrictions, preventing users from viewing results for targets they don't have permission to access. Only users who have access to all targets can view the dashboard (Read more)
• Users can now add bulk comments and tags to vulnerabilites (Read more)
• Enabled users to re-register multiple times using the same NTA token, improving registration flexibility
• Users can now add API specs via URL reference in target settings, allowing the scanner to pull specs at runtime from targets not accessible to Invicti cloud services (Read more)
• NTA now automatically shuts down after multiple failed connection attempts to Invicti Platform (Read more)
• Dark mode is now available
• Added preview capability for REST API specifications (OpenAPI, Swagger, RAML) after uploading (Read more)
• WAFs detected by DAST scanner are reported in the Scan activity log
• Auto-scalable agents (Read more)

Improvements

• Improved user experience when creating API Discovery targets and starting scans
• Addressed design inconsistencies for API discovery and API catalog pages
• Improved API reconstruction speed from network traffic in NTA
• NTA Helm deployments now automatically pull the most recent version, with older versions available upon request
• Minor usability improvements across the app
• API catalog now displays additional target details when clicking on a row (Read more)
• SCIM swagger is now available among API specifications (Read more)
• Forms containing the inv-ignore CSS class are now excluded from DAST scanner testing
• Scan duration calculation now includes scan pause time for more accurate reporting
• Added pagination, sorting, and filtering capabilities to the PCI ASV scans page

• Added a bulk action for retesting vulnerabilities (Read more)
• Updated visibility of items in API discovery to show only unlinked API specs (Read more)
• Implemented API information export capability for API discovery and API catalog
• Updated quick links to documentation and support in User profile
• Implemented hostname variation handling during web crawling to ensure links with different subdomain formats are considered within the same scope
• Implemented an upgrade process for NTA that preserves previous reconstruction context and avoids duplicate findings
• Updated Docker Compose instructions to ensure the latest version of NTA is always used

Resolved issues

• Fixed a typo in user agent list
• Fixed an issue related to the missing pagination
• Fixed visibility of "Vulnerability" column on Trend Matrix page
• Fixed an issue where filtering targets by agent type didn't work correctly
• Implemented clear error messaging for app name length validation during creation
• Fixed a filter label formatting in the UI
• Fixed an issue related to incorrect time zone offset saving for users in GTM +1
• Fixed an issue where the scan duration displayed an incorrect value despite no requests or progress
• Fixed an issue with sorting of API operations in API discovery or catalog
• Fixed an issue with the incorrect base URL displayed on the API Insights dashboard
• Fixed an issue where audit logs for scans stopped by the system incorrectly displayed the user as the one who initiated the action
• Fixed an issue with uploading large files via the API
• Fixed an issue where the the count of vulnerabilites in the scan summary tab is less than actually detected
• Unified pagination options in Automations
• Unified pagination options in Integrations
• Enforced SSO login for users with TOTP configured when organization SSO is enabled
• Updated the design of License page
• Fixed an issue where special characters could be used in the name fields
• Fixed an incompatibility issue with uploading multipart form data via the API hub Swagger page
• Fixed an issue where custom roles weren't updated after changing permission scope
• Fixed counting of total open vulnerabilities in API Insights dashboard
• Fixed visibility issues on internal scanning agent list
• Fixed categorization issue of Audit log export
• Improved data display in Audit log
• Added proof of exploit information in the vulnerability drawer for IAST-enabled scans
• Implemented pagination in API discovery and API catalog
• Added scan end timestamp information to the automated email sent upon scan completion
• Fixed displayed information on failed logins in Audit log
• Fixed an issue where the source type returned by GraphQL didn't match the UI display for API targets
• Extra validation now prevents creating sample issue when mandatory fields are incomplete
• Fixed a loading delay issue on the User/Team creation and editing pages
• Corrected the user status logic to ensure that enabled users aren't incorrectly marked as invite expired, aligning with the intended behavior
• Resolved an issue related to username input handling on the login page
• Fixed UI inconsistencies in the Settings - Automations input for domain entries
• Added more detailed information about export configurations in audit log activity
• Fixed "Automations" button to navigate correctly after a license upgrade
• Addressed the UI and messaging issues on the forgot password page
• Added forward and back navigation buttons to the role drawer for easier navigation
• Improved performance by speeding up loading times when creating and editing user groups
• Issue trackers now correctly show the respective icons in Automations overview
• Better usability when working with email field in Automations

• Added a "Fixed (Unconfirmed)" status to better reflect the status of a vulnerability
• Implemented toggle in Settings to turn on/off the automatic retest of a vulnerability after selecting "Fixed (Unconfirmed)" status (Read more)
• Retesting a "Fixed (Unconfirmed)" vulnerability automatically sets the status to "Fixed" or "Rediscovered" (Read more)
• Added Sensorless API discovery (Read more)
• Scan debug logs are available for download after a scan finishes (Read more)
• User provisioning with SCIM is now supported for Invicti Ultimate users
• Added an ability to filter the user list by user creation method (manually created vs. auto-provisioned) when auto-provisioning is available

Improvements

• Added an ability to use custom cookies during DAST scans when using the LSR
• API Discovery now clearly shows hostname where API specs have been identified
• Token used by Network Traffic Analyzer (NTA) now has extended expiration date to support longer offline periods
• Improved sitemap parsing to handle entries with multiple comma-delimited URLs within a single entry
• Implemented filtering and sorting options for number of operations, discovered and last updated date in API discovery (Read more)
• Implemented the display of PCI compliance status on the PCI scans list
• Updated Chromium to 141.0.7390.122

Resolved issues

• Fixed an issue that prevented users from changing column order on selected list views
• Fixed an issue where GetAssetById didn't return correct asset detail
• Improved handling of whitespaces in the Target URL field during target creation (Read more)
• MTTR now shows "-" instead of "0" when there is no data
• Fixed a navigation issue in "Licensed FQDN's used" list
• Fixed an issue where the user can't change the start date for scheduled scans
• Fixed an issue where the site structure isn't available for scans aborted by the DAST scanner due to network errors
• Fixed an issue where the Project filter by Threat severity displays incorrect results

• Implemented improvements to ensure the coordinator receives a heartbeat signal during the archiving process to prevent scan abortion
• Added an ability to copy custom scan profiles
• Updated requirements for the Internal Agent to specify CPU, RAM, and disk space
• Added logs compression while the scanner is running
• Updated PCI activation request emails to include a masked license key
• Implemented new Engine-based Zero-Config API discovery service
• Updated the design of the grid
• Added information about discovered or reconstructed APIs in the Scan details page
• Improved navigation to currently running scan from the Targets page
• The Executive and API Insights dashboards now include Rediscovered vulnerabilities in the total open counts
• Implemented filtering, sorting, and pagination features for PCI scans
• Increased URL length limit from 1024 to 2048 characters
• Implemented API-only scan capability to improve scan speed and efficiency
• Implemented automatic screenshots when the automated login by the DAST scanner fails; screenshots are included in the scan logs
• Added an updates panel to the Application dashboard. This panel displays last scanned status and tags. Additionally, the Vulnerabilities by scan type widget now shows the container count
• Implemented filtering out third-party APIs during web application scans to improve API discovery accuracy
• Reconstructed REST API specifications are now displayed in the API Discovery view
• Added Vulnerability ID column to the Vulnerabilities page table
• Updated the NIST SO 800-53 report to the latest template Rev5
• Disabled the retest button during a retest scan to prevent multiple concurrent scans for the same vulnerability
• The Settings page has a refreshed look and updated design for improved usability
• Implemented a new automation feature to automatically email a specified scan report upon scan completion
• The Audit Log now records changes made to vulnerabilities

Resolved issues

• Fixed an issue where reports generated by the Vulnerabilities page didn't start
• Fixed an issue where scans remained stuck in the "starting" status before their failure
• Fixed an issue where PCI scan activities weren't shown in UI
• Fixed the “List of URLs / Generic File (.txt/.*)” option to allow uploading files other than .txt
• Fixed the deactivated toggle state for Discovery AI settings
• Fixed an issue where the API Discovery remote target filter wasn't functioning correctly
• Fixed an issue that prevented PCI scans from initiating when an internal agent was inactive
• Fixed update logic for IAST sensor token
• Restricted non-HTTP and non-HTTPS protocols in script initiated DeepScan sessions
• Fixed an issue preventing users without an IAST license from saving target configurations
• Scan profiles now correctly default to a preset when the previously assigned profile is deleted
• Fixed a crash issue during scan
• Fixed an issue where page navigation and data retrieval in "Licensed FQDNs used" weren't working correctly
• Resolved an issue preventing users from editing scan schedules and corrected the incorrect display of scans on the Scan Scheduled page
• Discovery Configuration navigation now correctly highlights the section you are currently in
• Fixed an issue where the "HTTP Authentication required" message was shown incorrectly
• Fixed a missing vulnerability on http://rest.vulnweb.com/
• Resolved an issue where Browser Context creation starts failing after some time
• Fixed an issue where Apigee APIM connection details couldn't be edited after being saved and authenticated
• Queued scans are now displayed correctly
• Fixed an issue where API-SEC permissions were incorrectly enabled for Essentials users
• Updated vulnerability checks to include the new SQL injection in aspnet.testsparker.com
• Prevented Ephemeral Target resuming scan from the UI when excluded hours are encountered
• Fixed an issue where Filtering Targets on Scan Status duplicates some targets
• The flow for LSR with OTP no longer requires an additional step to insert the OTP value
• Fixed an issue where the Filter dropdown doesn't populate after reset
• Fixed client certificate handling to prevent scans from failing due to certificate-related issues
• Fixed an issue where logging in via SSO doesn't work when the user has TOTP/MFA enabled
• Fixed an issue where the Project filter by Threat severity displays incorrect results
• Fixed filtering capability and labeling of the "Remote Target" filter in the API catalog and discovery list
• Fixed an issue where Hidden APIs become visible when filtering data

• API now supports filtering scan results by tags
• Clicking on a target URL now opens the target details drawer
• Added a button to request enabling PCI ASV scans directly in the product via email if the user has Professional/Ultimate license
• Updated the notification instructing users to use Standalone LSR for targets that use internal scan agents
• OTP tokens are now accessible for authorization scripts
• Engine HTTP stats for API scans now include the number of 2xx status codes
• Added the option to configure company details for the PCI ASV Report
• Updated Inventory Endpoints in the API Hub
• Added a filter to show only vulnerable APIs when navigating from the API dashboard to the API catalog
• Added the ability for users to download debug scan logs
• API Security is now available as an add-on for Essentials and Professional editions
• Mapped security checks to their related found vulnerabilities
• Only the Owner role can assign the Owner role and System and Subscription permissions
• Added support for authentication scripts in the LSR
• Added support for multiple BLRs with custom naming
• Added a notification to inform the user when a scan is queued because of excluded hours
• CSV import of Targets now allows specifying a username and password for form authentication

Resolved issues

• Fixed an issue where the Vulnerability Status column was missing from the Trend Matrix
• Restored the missing Jira link on the Vulnerability page
• Updated the Engine to correctly mark API specs loaded via GraphQL Introspection as Crawled instead of Imported
• Fixed performance issues caused by DeepScan Static Analysis leading to slow page loading
• Corrected an error preventing users from saving Max Password Age values greater than 10 days
• Fixed mismatch between Value and Description for Inactivity Timeout in Session and Lockout settings
• Fixed a UI issue where a deleted target was still visible in the Allowed Hosts section
• Fixed an issue where DeepScan wasn't detecting Logout links
• Fixed an issue where the Pattern attribute wasn't sent to the Scanner-AI-Service
• Fixed inconsistency in scan schedule start times between the schedule list and detail views
• Corrected sorting by Vulnerabilities on the Collections page, which previously caused an error
• Fixed an SSO exemption bypass issue on page load
• Resolved timezone errors in scheduled scans
• Fixed an incorrect empty state message on the Collections page
• Fixed an issue where Apigee APIM configurations couldn't be edited after authentication
• Fixed an issue where users integrating with Mulesoft were redirected to an outdated configuration page
• Resolved Jira field mapping inconsistencies
• Fixed a UI issue where the Environment dropdown disappeared when scrolling on the Add Multiple Targets page
• Ensured all “Add API Source” buttons open the same configuration page
• Fixed issue causing Administrators to see empty content on the Settings page
• Resolved inconsistent behavior when deleting custom profiles
• Fixed mismatch between API Vulnerability counts on the Dashboard and other pages
• Fixed an issue where API Insights displayed vulnerabilities even with zero APIs in the Catalog
• Aligned API Insights counts for open vulnerabilities and other dashboard metrics
• Fixed AI-aided login issues on sites requiring YES input during authentication
• Resolved issue preventing users from generating API keys under migrated accounts
• Validated Inventory Service endpoints to confirm proper UserID handling when using M2M tokens

• Mark vulnerability with API tag when it comes from API target only
• Added "view by a time range" options to the Application Trend Matrix
• Added a new API parameter to filter vulnerabilities by severity in the vulnerabilities endpoint
• Added the details about an API operation to the drawer in the API catalog
• Added ability to configure the max scan duration for each Target. This can be used to specific smaller scan limits for scan done as part of CI/CD
• Crawled APIs found are shown only once in API discovery
• Added Invicti API to the list of integrations
• Added an option to create a scan schedule directly from the Target's drawer
• Added records of Applications, Assets, Collections to the Audit Log

Improvements

• Improved error handling of the API Reconstructor to allow retries for failed uploads
• Updated max API spec file size limit to 20 MB when uploaded via target settings

Resolved issues

• Fixed API specification duplication
• Fixed filtering for Invicti NAD in API Discovery
• Fixed an issue where automations created multiple issues out of one vulnerability
• Fixed an issue where hidden APIs were counted in the API dashboard
• Fixed an issue where exporting targets to JSON/CSV file returned empty files
• Target URL in the Most Vulnerable APIs list links to API list
• Added icons to Most recent discovered APIs based on the source type
• Fixed incorrect count of operations in the API dashboard
• Fixed count of Total APIs in API dashboard to reflect only APIs in the API catalog
• Fixed the visibility of Web Discovery for an Essentials package user
• Fixed the visibility of API security features for an Essentials package user
• Fixed the order of buttons for Website discovery and API discovery
• Fixed the order of the scan activity logs for scans with Allowed Host
• Fixed dashboard charts not showing information without DAST targets added
• Fixed filtering of multiple values for a single filter type

• Added Vulnerabilities widgets to the Target Trend Matrix
• The User Agent string is now displayed in Scan Configuration settings for each Target
• Updated the scanner error message for status code 429 (Too Many Requests)
• Added display of Mean Time to Remediate grouped by severity and indicated vulnerabilities exceeding MTTR
• The Vulnerability drawer is now accessible in the Trend Matrix
• Added the ability to export the Trend Matrix to CSV
• Added filtering options for the Trend Matrix
• Introduced the Trend Matrix for Applications
• Improved the display of scan duration in reports
• Added a custom User Agent option in Scan Configuration for Targets
• FQDN utilization is now displayed in the side menu
• Implemented automatic DAST scans in the GitHub Actions CI/CD pipeline

Improvements

• Scan Profiles are now required for CI/CD integrations

Resolved issues

• Resolved an issue that prevented manually entered sensor secrets from being saved
• Enhanced scan summaries to provide clearer explanations for aborted scans
• Resolved multiple issues related to HTTP/2 and LSR processing
• Resolved handling of aborted scans in the command-line tool
• Resolved an issue with restricted HTTP methods to ensure scan script requests are properly blocked
• Resolved an issue with Jira bi-directional sync to ensure status updates are accurately reflected
• Resolved an issue where scan progress displayed 100% without matching the actual scanner status

• Scanning stops automatically when a 429 status is received without a retry-after header
• Implemented Trend Matrix for DAST Targets
• AI-Aided Login automatically regenerates invalid reused LSR files
• Added support for tracking session tokens in URL Parameters for LSR recorder
• DeepScan now scans all path fragments discovered in locations for potential vulnerabilities
• Added a filter on the Vulnerabilities page to show vulnerabilities found on APIs
• Added support in AI-Aided Login for saving AI-generated LSR files
• Improved Agents Page with an updated design for better navigation and readability
• Added the Technologies tab to the Application dashboard
• Added user provisioning with SCIM 2.0 for Teams

• Added the ability to restrict HTTP methods for a DAST scans on a Target
• Added "Export to file" bulk action in Projects
• Added "Sync vulnerabilities" bulk action in Projects
• Added "Last updated" per SAST source in Projects
• Added "Export to file" action in Projects
• Added "Sync vulnerabilities" action in Projects
• Added handling of custom namespaces in specifications for WSDL imports
• Added NTA Standalone mode
• Added details about an API operation to API catalog
• Added "Scan comparison" feature to Past scans tab
• Added a scan message when AI-aided login is used
• Implemented automation to push vulnerabilities into issue trackers every time they are found, creating new or updating existing work items if needed
• Added vulnerability assignment to a specific user
• Implemented standard and compliance reports for Application consolidating all SAST asset vulnerabilities for a comprehensive application security overview
• Added "Most vulnerable technologies" list to the Application dashboard
• Added filtering by application, asset, and environment to the Vulnerabilities page
• Added information on the status and version of the installed NTA to the API sources section in Discovery Configuration

• Enhanced DAST scanner with improved performance and vulnerability detection capabilities
• Fully redesigned user interface and experience
• New Applications feature allows to group related targets under logical application structures
• AI-powered web form auto-completion for DAST scans (Read more)
• AI-powered authentication handling for DAST scans
• Dynamic targets for integration into CI/CD pipelines (Read more)
• Detection of IDOR (Insecure Direct Object Reference) and BOLA (Broken Object Level Authorization) vulnerabilities in APIs (Read more)
• Improved API analysis through stateful scanning capabilities
• Concurrent scan support for internal scanning agents
• Docker-based internal scanning agents
• Simplified Packages
• LLM vulnerability detection (Read more about LLM-based app vulnerability testing, how to configure LLM-scans, and how to verify LLM was scaned during a scan. LLM scanning includes:
  • LLM Command Injection
  • LLM-enabled Server-side Request Forgery (SSRF)
  • LLM Insecure Output Handling
  • Tool Usage Exposure
  • Prompt Injection
  • System Prompt Leakage
  • LLM Fingerprinting (Read more)